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(54) Copy protection apparatus and method 

(57) An apparatus and method of copy protection 
for use in digital data recorders such as DVD-RAM 
recorders (30), which includes using DVD disks (1) with 
unique serial numbers stored in a read only part (2) of 
the disk for recording data. The serial number of each 
disk together with other copy contrdl information is digit- 
ally signed. The digital signature is verified at the DVD 



player/recorder (1 3, 30) to check whether the disk being 
played is an original disk or an authorised copy. If not. 
play back and recording of the data on the disk is pre- 
vented. The use of copy control information also allows 
the implementation of a copy generation management 
system. 
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Description 

[0001 ] This invention relates to copy protection, partic- 
ularly but not exciusively to an apparatus and method 
for protecting digital data on a data storage medium s 
from unauthorised copying. 

[0002] Although digital media such as audio CDs and 
CD-ROMs allow perfect reproduction of digital data 
stored on them, the problems of controlling unauthor- 
ised reproduction have so far been mitigated to some io 
extent by the fact that these media have generally only 
been available in a read-only format, so that the poten- 
tial infringer needed specialist recording and CD-press- 
ing equipment to make high quality copies. 
[0003] However, the introduction irrto the consumer is 
market of recordable digital storage technology, includ- 
ing CD-R (Write Once) and CD-RW (Rewritable), as 
well as Digital Versatile Disk (DVD) technology, which 
aims to make low cost digital recorders widely available, 
has raised the need for sophisticated copy protection 20 
systems, to prevent extensive piracy. It is envisaged that 
DVD recorders, known as DVD-RAM recorders, will 
eventually replace the various different forms of cur- 
rently available storage equipment, including computer 
hard-disk drives and video cassette recorders. 25 
[0004] The principles of DVD technology are well 
established, with DVD-RAM recorders such as the 
Hitachi GF-1000 series available on the market. Refer- 
ence is directed to "DVD Demystified", by Jim Taylor, 
published by McGraw-Hill. 1998, for further information 30 
on DVD principles. 

[0005] Without any form of copy control, films, audio 
recordings and other digital content distributed on DVD 
disk or CD-ROM, can be easily recorded by a DVD- 
RAM, or other digital recorder, onto a digital data stor- 35 
age medium such as a recordable DVD disk, from which 
they can be further copied numerous times onto other 
DVD disks, without any degradation in the copy quality. 
[0006] To prevent unauthorised copying, devices sold 
to consumers inccSrporate copy protection mechanisms. 40 
For exarrple, copy protection information can be 
embedded in the data sector of a DVD disk, as illus- 
trated in "DVD Demystified", by Jim Taylor at page 128. 
A possible method of copy control using such embed- 
ded information is for the digital content provider to sup- 45 
ply the film or other digital content on a read-only 
medium, for exanrple a DVD-ROM disk, with a "Never- 
Copy" flag embedded in the data. The DVD 
player/recorder will check for the presence of this flag 
and. if an attempt is made to copy the disk when the flag so 
is present, the recording circuitry will prevent recording. 
However, this type of protection can be circumvented by 
using DVD- ROM/RAM drives as peripherals for comput- 
ers, so as to enatjie copying of the data from an original 
disk onto a recordable disk on a bit-by-bit basis, includ- ss 
ing the copy protection information. 
[0007] To prevent such bypassing of the protection 
scheme, some DVD players are designed to check for 



the presence of Never-Copy flags on recordat>le disks 
as opposed to ROM disks. The presence of sucn a flag 
on a recordable disk is taken to indicate that the disk is 
an unauthorised copy of an original ROM disk so that 
playoack of the data on the disk will be prevented. On 
the other hand, if the player detects that a ROM disk is 
being used, it will play back the data on the disk. 
[0008] However, this scheme works on the premise 
that a computer user copying the disk will copy all of the 
data on a bit-by-bit basis, induding the Never-Copy flag. 
The scheme can still be easily bypassed by the compu- 
ter user who knows or determines where the copy con- 
trol information is located on an original ROM disk, and 
who can therefore change or ovenwrite this information 
when making a copy of the original disk onto a recorda- 
ble disk. 

[0009] A further problem with the above described 
protection scheme is that it is inflexible, with no way of 
providing for a copy generation management system 
(CGMS), which governs the extent to which copying is 
permitted. 

(001 0] For example, there is no way of providing-for 
the contents of an original data storage medium to be 
copied to a back-up medium, while preventing the pro- 
duction of a further generation of copies from the back- 
up medium. 

[0011] The present invention aims to address tiie 
above problems. 

[001 2] Accofding to the present invention, tiiere is pro- 
vided apparatus for processing data stored on a storage 
medium which has a medium identifier, the apparatus 
including means for controlling the processing of the 
stored data in dependence on the relationship between 
the medium identifier and verification information for tiie 
medium identifier stored on the medium. 
[001 3] The medium identifier may be a first medium 
identifier and the verification information can comprise a 
second medium identifier, so that the apparatus can 
prevent playback or recording if the first and second 
medium idemifiers are different. 
[0014] In the case of an original disk, the second 
medium identifier may be a copy of the first medium 
identifier. 

[001 5] The apparatus may include means for authen- 
ticating the verification information. The verification 
information may. for example, be digitally signed, and 
the authentication means may. comprise means for ver- 
ifying a digital signature. 

[0016] The present invention further provides a 
method of processing data stored on a storage medium 
which has a medium identifier and verification informa- 
tion for the identifier stored on the medium, conrprising 
controlling the processing of the stored data in depend- 
ence on the relationship between tiie medium identifier 
and tiie verification information. 
[0017] The present invention also provides recording 
apparatus for recording data onto a data storage 
medium having a medium identifier, comprising means 
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for producing verification infornnation for the medium 
identifier, said verification information to be stored on 
the medium. 

[0018] The recording apparatus may include means 
~for-controlling record! ng onto-the medium in. response to— 5- _ 
copy control data stored on a medium from which the 
data is being recorded. 

[001 9] The present invention additionally provides a 
method of recording data onto a data storage medium 
having a medium identifier, comprising producing verrfi- io 
cation information for the medium identifier to be stored 
on the medium. 

[0020] According to the present invention, there is fur- 
ther provided a data storage medium cbrrprising a 
medium identifier and verification information for the is 
identifier stored on the medium. 

[0021 ] Advantageously, in accordance with the inven- 
tion, digital data on a data storage medium can be pro- 
tected from unauthorised copying even if the copy 
protection information in the data is falsified. In addition, 20 
the protection scheme provides for the generation of 
legitimate copies, such as backup copies. 
[0022] Embodinr>errts of the invention will now be 
described by way of example with reference to the 
accompanying drawings m wfiich 25 

Figure 1 is a schematic diagram of a DVD disk 
according to the invention; 

Figure 2 is a schematic bkxrk diagram of apparatus 
used to manufacture the disK of Figure 1 . 30 
Figure 3 is a schenratic t^lock diagram illustrating an 
example of the recording apparatus to be used by 
content providers to produce copy protected disi<s; 
Figure 4 is a flow diagram illustrating the operation 
of the recording apparatus of Figure 3; 35 
Figure 5 is a schematic block diagram of a DVD 
player according to the invention; 
Figure 6 is a flow diagram illusfrating the operation 
of the player of Figure 5; 

Figure 7 fe a flow diagram illustrating the detailed 40 
operation of the recording apparatus of Figure 3 
and player of Rgure 5 based on a given example of 
copy contrdi information; 

Figure 8 is a schematic block diagram of recording 

apparatus to be used by content providers accord- 45 

ing to a further example of the invention; 

Figure 9 is a flow diagram illustrating tiie operation 

of the recording apparatus of Figure 8; 

Figure 10 is a schematic block diagram of a data 

recording device according to the invention to be so 

used in a consumer device: 

Figure 11 is a flow diagram illusti-ating the operation 

of the recording apparatus of Figure 10; 

Figure 12 is a flow diagram illustrating the detailed 

operation of the recording apparatus of Figure 8 for 55 

the case where copying of an original disk is not 

permitted: 

Figure 13 is a flow diagram illustrating the detailed 



operation of the player of Figure 5 where the disk 
being played is recorded in accordance with the 
recording operation illusti'ated in Figure 12; 
Rgure 14 is a flow diagram illustrating the detailed 

operation-of-the-recording-apparatus„of-Figure_8_for_ 

the case where one generation of copies from an 
original disk is permitted; 

Figure 15 is a flow diagram illustrating the detailed 
operation of the player of Figure 5 where the disk 
being played is recorded in accordance with the 
recording operation illustrated in Figure 14; 
Rgure 16 is a flow diagram illustrating tiie detailed 
operation of the recording device of Figure 10 for 
the case where the data being recorded was itself 
recorded in accordance with the recording opera- 
tion illustrated in Rgure 14; and 
Rgure 17 is a ftow diagram illusti-ating the detailed 
operation of the player of Figure 5 where the disk 
being played is recorded in accordance with the 
recording operation illustrated in Figure 16. 



[0023] Refen-ing to Rgure 1 , a DVD disk 1 according 
to the invention conprises an identification area 2 and a 
data area 3. The identification area is located on a read- 
only part of the^jisk, so that only the manufacturer of the 
disk can write information to this area during manufac- 
ture of the disk 1. For example, the identification area 2 
can be the burst cutting area of a DVD disk, as further 
described in "DVD Demystified", by Jim Taylor, at pages 
125 - 126. 

[0024] Referring to Figure 2. a blank DVD disk 4 is first 
produced by conventional manufacturing steps by a 
medium generator 5. DVD media manufacturing proc- 
esses are similar to those used to produce CD-R and 
CD-RW disks. A medium identifier generator 6. for 
example a computer running serial number generation 
software^ produces a unique identifier, for example, a 
serial number, which is written to the burst cutting area 
2 of tine blank DVD disk 4 by a medium identifier printer 
7 so as to produce the blank DVD disk 1 ready for data 
recording. The medium identifier printer 7 is, for exam- 
pie, a laser configured to cut a series of bar-code like 
stripes in the txjrst cutting area 2 to represent the serial 
nunnber. While, in practice, the identifier may well be 
unique, this is not an essential requirement, the criterion 
being that, to prevent extensive copying, it should be 
sufficiently unlikely that a consumer will be readily able 
to obtain disks having the same identification number. 
[0025] The accessibility of the data area 3 of the DVD 
disk 1 depends on the type of disk involved. In tiie case 
of a DVD-ROM disk, this area is read-only. A DVD-ROM 
disk can be produced by stamping it from a nr^ster copy, 
as described in "DVD Demystified", by Jim Taylor, at 
pages 1 21 - 123. This is the most cost-effective process 
when producing a very large numt>er of disks. Other 
manufacturing techniques for DVD-ROM disks enable 
the incorporation of unique data onto each individual 
disk 
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[002f:] In the case of a DVD-R (Write-Once) disk, the 
manufacturer produces a biank disk which includes, for 
example, a unique serial number in the identification 
area 2. The data area 3 is however available to be writ- 
ten to, once only, by the content provider, using conven- 
tional data writing apparatus. Once the content provider 
has written data to the disk, it essentially behaves as a 
DVD-ROM, and cannot be rewritten by the consumer. 
[0027] Arternatively, the disk 1 may be a DVD-RAM 
(Rewritable) disk, typically distributed as a blank disk for 
recording and re-recording by consumers. 
[0028] The principles behind the production of a pre- 
recorded disk for distribution to consumers are illus- 
trated below by reference to a DVD-R disk 1 , for exam- 
ple produced by the manufacturing arrangement 
illustrated in Figure 2. as a result of which the content 
provider receives blank disks from the disk manufac- 
turer, each having a unique disk identifier, for example, 
a serial number, written in the identification area 2 at the 
manufacturing stage. The content provider can then 
record a film, audio data or other digital content, gener- 
ically refenred to herein as data, and other relevant infor- 
nation to the disk 1 , as explained by reference to the 
recording apparatus 8 illustrated in Figure 3. 
[0029] One example of the recording apparatus 8 to 
be used by the content provider comprises a reading 
device 9 for reading the disk identifier from the read-only 
part 2 of the DVD disk 1 . a copy control information 
(CCI) generator 10 and a recording module 11 for 
recording the generated copy control information 
together with the data from a data archive 12 onto the 
disk1. 

[0030] Referring to Figure 4, which describes the 
operation of the recording apparatus 8, at step si , the 
reading device 9 reads the disk identifier from the disk 1 
being recorded and passes the identifier to the CCI gen- 
erator 10. which produces verification information for 
the disk identifier in the form of copy control information 
(s2). At step s3. the recording module 1 1 reads the data 
from the data archive 12 and records this onto the disk 
1 together with the copy control information from the 
CCI generator 10 (s4). The resulting pre-recorded disk 
1 is referred to herein as the original disk. 
[0031] Referring to Figure 5, a DVD player 13 accord- 
ing to the invention comprises a reading device 14. a 
CCI verifier module 15 btkI a piaytjack device 16. Refer- 
ring to Figure 6, which describes the operation of the 
player 13, at step s5, the reading device 14 reads the 
data, copy control information and the disk iderrtifier 
from the disk 1 being played and sends this information 
to the CCI verifier module 1 5. At step s6, the verifier 
nrKxjule 1 5 attempts to verify the copy control informa- 
tion, namely to determine from the copy control informa- 
tion and the disk identifier whether the disk being played 
is an original disk an authorised copy or an unauthor- 
ised copy. If verification is successful, control passes to 
step s7 and the playback device 16 plays back the data. 
If verification is unsuccessful, control passes to step s8 



and playback is prevented, since failure of the verifica- 
tion process is taken to mean that the disk being read is 
an unauthorised copy. 

[0032] In all of the examples of the invention described 
5 herein, devices required to read and write data to DVD 
disks, such as the recording module n. reading 
devices 9, 1 4 and the playback device 1 6. can be imple- 
mented by conventional circuitry as currently used in 
commercially available DVD player/recorders such as 
10 the Hitachi GF-1000 series. The functionality of the 
bk3Cks required to implement the invention, such as the 
CCI generator 10 and CCI verifier 15 can be imple- 
memed in software on conventional microprocessor 
based circuitry 

75 [0033] One example of the copy control information 
which can be recorded onto the disk 1 is simply a copy 
of the original disk identifier read by the reading device 
9 in the recording apparatus 8. Referring to Figure 7, at 
step s9. the reading device 9 reads a disk identifier S^j 

20 from the original disk and at step slO stores as the 
copy control inforn^tion. At step si 1 the recording mod- 
ule 11 reads data from the data archive 12 and then . 
records the data and to the data area 3 of the disk 1 
(si 2). At step si 3. the reading device 14 in the player 13 

25 reads Sp. the disk identifier of the disk being played, 
from the txjrst cutting area 2 of the disk 1 and sends it to 
the CCI verifier 15, It also reads the copy control infor- 
mation, namely Sd, from the data area 3 of the disk 1 . At 
step s14. the CCI verifier 15 compares the actual disk 

30 identifier Sp with the copy of the original disk identifier 
Sc(. If the original disk has not been copied, the two iden- 
tifiers, for example the serial number of each disk, will 
be iderrtical and a signal will be sent to the playt^ack 
device 16 (si 5) indicating tiiat the disk can be played. 

35 On the other hand, if the original disk has been copied, 
so that all the data on it has been transferred to a new 
disk, then the disk identifier Sp in the burst cutting area 
2 of the new disk wilt be different from the original disk 
identifier copied over to the data area 3 of the new 

40 disk. In this case, a signal is sent to the playback device 
16 (Si 6) that the disk is an unauthorised copy and 
therefore cannot be played. 

[0034] The use of a copy of the original disk identifier 
as the copy control information provides a form of play- 

45 back copy conti'ol similar to the use of a Never-Copy flag 
as described above. Therefore, while the making of a 
copy of an original disk is not itself prevented, a DVD 
player according to this example will not play back the 
data on the copy. Furthernrore. the making of a second 

50 generation of copies from the copied disk can itself be 
prevented by a recording device which provides the 
same verification check as the player 13, as illustrated 
at steps si 4 to si 6. This works because the recording 
device recognises a first generation copy as one in 

55 Which Sp * Sd and so can prevent further recording. 
[0035] To prevent a consumer from bypassing the pro- 
tection provided by ttie copy control method described 
above, it is envisaged tiiat the copy control information 
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should itself be protected against access and alteration. 
[0036] An example of a suitable form of protection is 
the use of a digital signature, which can be based on a 
public key cryptographic system. Methods of forming 
- —digital signatures- are well- known and digital- signature - 
software is commercially available, for example from 
RSA Data Security Inc, California. USA, which uses the 
well-known RSA public-key algorithm. The principles of 
public key systems and their use in digital signatures 
are set out below. For a more detailed description, refer- 
ence is directed to Bruce Schneier. "Applied Cryptogra- 
phy". John Wiley & Sons. Inc. 1996. ISBN 0-471-1 1709- 
9. 

[0037] Public key encryption is based on the use of an 
asymmetric pair of mutually inverse mathematical oper- 
ations known as a key pair. 

[0038] For example, assuming that E is a public key 
algorithm, then the notation E^Cm) signifies the encryp- 
tion of a message m using a key K. 
[0039] If K and K"^ are key pairs for E. then 
E j^(E ^ , (m)) = m . So a message encrypted with a key 
K"\ referred to herein as the private key, can be 
decrypted by applying the key K. referred to herein as 
the public key Public key cryptography is based on the 
fact that it is currently not computationally feasible to 
calculate one part of the key pair from the other part if 
the bit length of the key is large enough, for example 
512 bits or larger. 

[0040] A digital signature can be based on a public key 
algorithm and a one way hash functran. A hash function 
is any function which takes a variable-length input string 
and converts it to a fixed-length and generally smaller 
output string known as the hash value. A one way hash 
function is a function for which, given a message m. it is 
easy to calculate a hash value c = H(m) , but for which it 
is difficult to calculate m. starting from a given hash 
value c. It is generally computationally unfeasible to cal- 
culate m from c if the output bit length of H is large 
enough, for example 128 bits or larger. Reference is fur- 
ther directed to Bruce Schneier, "Applied Cryptogra- 
phy", pages 29 to 3i and 38 to 39, and to D.W. Davies 
and W.L. Price. The Application of Digital Signatures 
Based on Public-Key Cryptosystems". Proceedings of 
the Fifth International Computer Communications Con- 
ference. October 1980. pp. 525 - 530 and National 
Physical Laboratory Report DNACS 39/80. December 
1980. 

[0041] The way in which a digital signature can be 
used is illustrated below. 

[0042] For example, X v^shes to send a message to 
Y. We assume that the content of the message is not 
secret, but that Y wishes to be sure that the message 
originated from X and that it is unaltered by any third 
party. Therefore. X generates key pairs K and K'^ for 
public key algorithm E. X keeps the private key K'^ 
secret and opens key K to the public. Then X generates 
the message m and signs it digitally, by: 



1. calculating c = H(m) . where H is a known hash 
function 

2. encrypting c by E using private key K"^ ie. 
digital signature = E -i (c) 

[0043] The digital signature is referred to herein as 
SigK-i(ni), 

70 

so that the above equation can be written as 
Sig i(m)= E .,(c) 

[0044] When Y receives the message m. he can verify 
the digital signature using X*s public key K, by: 

15 

1. calculating jc' = H{m) 

2. decrypting 



using key Ktoobtain c. ie. c = Ej^(E^.,(c)) - . . 
3. comparing c and c* ■ 

25 [0045] If c = c\ the verification succeeds, otherwise it 
fails. 

[0046] The verification will fail if the message m has 
been changed in any way, since in that case the hash of 
the message C will change. Alternatively, the verification 
30 will fail if the digital signature has been falsified. Since X 
is the only person who has access to the private key K' 
\ X is the only person capable of generating the correct 
digital signature which can be verified by the public key 
K. 

35 [0047] Referring again to Figure 3. to apply the above 
described form of protection in the simple case outlined 
above of using a copy of the original disk identifier to 
verify the authenticity of a disk being played, the CCI 
generator 10 in the recording apparatus 8 includes an 

40 input from a key pair generator which generates a key 
pair K,K\ Key pair generator software, including gen- 
erators for specific algorithms such as the DSA and 
RSA algorithms, is widely available cormiercially, and 
can. for example, be implemented in the Java™ pro- 

45 gramming language. The Java™" API. for exannple. 
includes a key pair generator class known as java.secu- 
rityKeyPairGenerator. A disk identifier S^. where S^ 
represents the disk identifier of the original disk, is read 
from the disk 1 by the reading device 9 and a digital sig- 

50 nature 

SigK-i(Sd) • 

55 is formed using the private key K'"* and a suitable one- 
way hash function H(x) which is fixed at both the record- 
ing apparatus and the player. 

[0048] An example of a suitable hash function is the 
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Secure Hash Algorithm (SHA) described at pages 442 • 
445, "Applied Cryptography", referred to above. This 
algorithm accepts a variable length input bit stream and 
outputs a 160 bit hash. Typically knowledge of the hash 
function decided on will be limited to the recording 
apparatus/player equipment vendors on the basis of a 
non-disclosure agreement. The digital signature 

SigK-i(Sd) 

is recorded onto the disk 1 by the recording module 1 1 
together with the public key K. 

[0049] Referring again to Figure 5. at the player 13, 
the reading device 14 reads the public key K and 

SigK-i(Sd) 

from the data area 3 arxj the disk identffier Sp from the 
identifier area 2 of the disk 1 being played. The CO ver- 
ifier 15 calculates the hash value H(Sp) and uses K to 
decrypt 

SigK'(SJ 

so as to obtain the hash value H(Sct) H then compares 
these two hash values. H Svi and Sp are identical, 
because the disk being played is the onginal disk, then 
the hash values are also identca). then verification is 
successful and a signal is sent to the playback device 
16 permitting playback. If S^j and S-, are not identical, 
because the disk being played is a copy of the original 
disk, then their hash values will be drfferern. so that the 
verification process fails, which triggers a signal to the 
playback device 16 to prevent playt>ack. 
Since the content provider is the only one to have 
access to the private key K'\ it is the only one that can 
correctly encrypt tffe serial number or other identifier of 
the original disk. 

[0050] To permit more complex corrtrol over copying, 
further information can be included as part of the copy 
control information, for example, a copy control field 
which is capable of implementng copy generation man- 
agement. 

[0051 ] Figures 8 and 9 explain the general structure of 
another example of a recording apparatus 20 for use by 
a content provider and the steps involved in the produc- 
tion of a pre-recorded copy protected disk. 
[0052] At step si 7. a key pairs generator module 21 
generates key pairs of the public algorithm for signature 
verification. At st^ s18. a reading device 22 reads the 
identifier of the DVD disk 1 . for example a serial number, 
from the read-only part 2 of the disk 1. At step S19. a 
copy control information (CCI) generator 23 produces 
copy control information including a digital signature on 
the basis of the keys, identifier and a copy control field 



from a copy corrtrol field (CCF) database 24. The copy 
control field can take one of at least four values, includ- 
ing Copy-Freely. Never-Copy, Copy-Once and No-More- 
Copy. The actual information which goes to make up the 

5 copy control information will be explained in more detail 
below. At step s20, a recording module 25 reads the 
data to be written to the DVD disk 1 from a data archive 
26 and at step s2l . writes the data and the copy control 
information from the CCI generator 23 to the DVD disk 1 

10 to produce the finished copy protected pre-recorded 
DVD disk. 

[0053] The gene-al structure and functionality of a 
DVD player has already been described by reference to 
Figures 5 and 6. 

15 [0054] Figure 1 0 illustrates the structure of a recording 
device 30 in accordance with the invention for use by 
consumers to record data onto recordable disks. Refer- 
ring to Figures 10 and 1 1 . at step s22, the input signal 
processor module 31 receives copy control information 

20 and data to be recorded from a disk player 13 as 
described above, and sends them to a CCI verifier mod- 
ule 32 and a CCt generator 33. At step s23, the CCI ver- 
ifier 32 attempts to verify the copy control irrformation. 
The CCI verifier 32 performs the same verification func- 

25 tion as the CCI verifier 15 in the player 13, and if the 
player and recording device are implemented as a sin- 
gle unit, the verifier 32 is implemented by the same cir- 
cuitry or by the same software function. If. however, the 
recording device 30 is a separate unit from the player 

30 13. the CCI verifier 32 is implemented as a double 
checking facility and to provide a verification function for 
a player which may not include copy protection facilities. 
[0055] If verification fails at this stage (s23), control 
passes to step s29. and recording of the data onto a 

35 new disk is prevented. If verification succeeds, then 
control passes to step s24. at which the CCI verifier 32 
determines if the copy control field indicates that the 
data can be freely copied, for example, because of the 
presence of a Copy-Freely flag. If the data can be freely 

40 copied, control passes to step s28, at which the record- 
ing module 34 records the copy control information and 
the data to a new disk 35. If. at step s24. the copy con- 
trol information irxlicates that data cannot be freely cop- 
ied, control passes to step s25. at which the CCI verifier 

45 32 determines if the copy control f tekj indicates that the 
data can be copied only once, for example, because of 
the presence of a Copy -Once flag. If the flag is not a 
Copy-Once flag, the conclusion is that a Never-Copy or 
No-More-Copy flag is set, and control also passes to 

so step s29 where recording is prevented. H. on the other 
hand, at step s25. the copy control information indicates 
that the Copy-Once flag is set. corrtrol passes to step 
s26. at which the reading device 36 reads the medium 
identifier of the new disk 35 from the read-only part of 

55 that disk and sends this identifier to the CCI generator 
33. At step s27, the CCI generator changes the copy 
control field from Copy-Once to Copy-No-More and 
generates new copy control information to be recorded 
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onto the disk 35 by the recording module 34. The nature 
of the new copy control information is explained in detail 
below. 

[0056] The precise nature of the copy control informa- 
_tion_whichJS-written_to.an_original disk-depends_onJhe„ 
level of protection which a content provider wishes to 
achieve. For example, the provider may decide that the 
content of. for example, its DVD-audio disk can never be 
copied. On the other hand, the provider may wish to 
provide its customers with the ability to make a back-up 
copy of the onginal, but not to produce further copies. 
The way in which these goats can be achieved is 
explained below using the following notation: 
[0057] ID is information identifying the content pro- 
vider This can include the provider's name, the name of 
the content, its date of production and so on. CCF rep- 
resents the copy control field, which can take the values 
Copy-Freely. Never-Copy. Copy-Once and No-More- 
Copy, as explained above. A and A' are used as conven- 
ient notation to group the provider dependent informa- 
tion ID and CCF together, for example, by 
concatenation. such that A = ID : CCF and 
A* a ID : CCF , where CCF' represents a change in the 
value of the copy control field when recording onto a 
new disk Sj.Sc and Sp are disk identifiers printed on the 
read-onfy part of the disk. They cannot therefore be 
changed by the consumer. represents ttie disk iden- 
tifier of the original disk, Sc represents the disk identifier 
of the disk to which the original disk can be legitimately 
copied and Sp represents the disk identifier of the disk 
being played. It will be understood that Sp can take the 
values of S^ and S^ where, respectively, the original disk 
and a legitimate copy of the original disk, are being 
played- Ka and 



are key pairs tor the digital signature of the content pro- 
vider. Km and ' 



as described above for the first example. The reading 
device 22 then reads S^j from the read-only part of the 
disk 1 (s32) and the CCl generator 23 calculates the 
digital signature 



are key pairs for the digital signature required to imple- 
ment the CGMS scheme, for example to ensure that a 
copy is only made from the original and not from a copy 
of the original. 

[0058] Referring to Figures 8 and 12. in the case 
where a content provider wishes to prohibit all copying 
from the original disk, including the making of a backup 
copy, at step s30. the CCF flag is set to Never-Copy. At 
step s3l, the key pairs generator module 21 generates 
key pairs and 



K 



25 



30 



SigKA-» (Sd, A) 



at step s33. The copy control information in this case 
10 comprises 



SigKA-t (Sd, A). 



75 A and K/^ The recording module 25 then reads data 
from the data archive 26 (s34) and at step s35 writes the 
data to the disk 1 together with the copy control informa- 
tion from the CCl generator 23. 

[0059] Referring to Figures 5 and 13. when a DVD 
20 disk 1 encoded with the above data is inserted into a 
DVD player 13. at step s40 the reading device 14 reads 
Sp from the read-only part 2 of the disk 1 . It alsojreads 
the copy control information, namely A. and 



SigKA-i (Sd, A), 



from the data area 3. The CCl verifier 15 then verifies 
the digital signature 



Sig^A-i (Sd, A) 



using S^. A arnj Ka at step s41. If the verrficaton suc- 
35 ceeds, control passes to step s42 and the data is played 
back. Otherwise, control passes to step s43. where 
playback of data is prevented. To further explain the 
operation of this example, the verification process is 
explained in detail below. 
40 [0060] Knowing Sp read from the identification area 2 
of the disk and A read from the data area 3 of the disk 1 . 
it is possible to calculate a function c' using a one-way 
hash function H. such that c' = H(m) . where 
m = (Sp, A) . Therefore, c* = H(Sp. A) . 
45 [0061] The function H is the same function as was 
used at the recording apparatus 20 to produce a func- 
tion c - H( S A) . This function is obtained by decrypt- 
ing 



SigKA-i (Sd, A) 



using the public key K^ read from the data area 3 of the 
diskV 

55 [0062] If c = c\ ie. H{S^. A) = H(S p. A) . this verifies 
that both A and Sp are unchanged from the time of 
recording, and in particular that Sp = S . namely that 
the serial number on the disk being played is identical to 
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the serial number of the disk on which the data was 
recorded. On the assunrption that the serial numbers 
are unique, this means that the disk being played is the 
original disk and so playback of the data it contains is 
permitted. If the verification fails, the disk being played 5 
is assumed to be a copy and playtack is therefore pre- 
vented. 

[0063] Referring to Figures 8 and 14, in the case 
where a content provider wishes to provide the facility 
for the making of a backup copy from the original disk 
only, step s50 is to set the Copy Control Reld to Copy- 
Once. At step s5i, the key pairs generator module 21 
generates key pairs and Ka'V as well as and 
\ The reading device 22 then reads from the read- 
only part of the disk 1 (s52) and the CCI generator 23 
calculates the digital signature 

SigKA-i (Sa, A, Km) 

at step s53 The recording module 25 then reads data 
from the data arcrt ve 26 (s54) and at step s55 writes the 
data to the disk 1 together with the copy control informa- 
tion from the CCI generator 23, which comprises A. K;^ 
Km. Km"^ and 

SigKvi (Sd, A, Km). 



[0064] Referring to Figures 5 and 15. when a DVD 
disk 1 , encoded with the above data, is inserted into a 
DVD player 1 3, at step s60. the reading device 1 4 reads 
Sp from the read-only part 2 of the disk 1 . It also reads 
the copy control information, namely A. Ka. K^, K^'^ 
and 

SigK^ I (Sd, A, KJ 

from the data area 3 of the disk 1 . The CCI verifier mod- 
ule 1 5 then verifies the digital signature 

SigKA-i (Sd, A, Km) 

using S^. A. and Ka (step s61) as e^lained in detail 
above. If the verification succeeds, control passes to 
step s62 and the data is played back. Otherwise, control 
passes to step s63. where playkDack of data is pre- 
vented. 

[0065] Since it is permitted to make a backup copy of 
the original disk, the detailed operation of the recording 
device 30 shown in Figure 1 0. is set out in the f bwchart 
of Figure 16. Referring also to Figures 10 and 15. steps 
s70 and s71 are identical to steps s60 and s61 as car- 
ried out by the playback device. If the verificatbn proce- 
dure fails, all further processing is stopped at step s72. 



The purpose of including K^^ in the verification proce- 
dure is to ensure that K^ has not been falsified, since 
both parts of the key pair K^ 

Km 1 

and are included, and therefore available to a potential 
infringer, on the original disk If the verification proce- 
dure succeeds, then at step s73. the reading device 36 
reads Sc from the read-only part of the destination disk 
35. The CCI generator 33 changes the copy control field 
of A from Copy-Once to No-More-Copy and stores it as 
A* (s74). It then calculates the digital signature 

SigKM-i(Sc, A') 

(s75) and at step s76 writes S^. A, K^^. Ka. 

SigKA-i(Sd, A, Km), 

A and 

(Sc. A*) to the data area 3 of the destination disk 35. 
[0066] Refen-ing to Figures 5 and 1 7, to play back data 
from a disk which is marked with a No-More-Copy flag, 
at step s80 the reading device 14 reads Sp. from the 
read-only part 2 of the disk 35. It also reads the copy 
control information, namely Sd, A, K^, Ka, 

SigKA i(Sd, A, Km). 

A and 

SigKMi(Sc, A') 

from the data area 3 of the disk (s81). The CCI verifier 
1 5 then verifies the digital signature 

SigKA-i(Sd, A, Km) 

using Sd. A, Km (s82). This step verifies that the key Km 
used in the second part of the verification process has 
not itself been falsified. If verification fails, playback is 
stopped (step s85). If verification succeeds, then at step 
s83. the CCI verifier module 15 verifies the second dig- 
ital signature 
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8. Apparatus according to claim 7, wherein the verifi- 
cation information is digitally signed, and the 
authentication means comprises means tor verify- 
ing a digital signature. 

'97^ Apparatus according to any preceding claim, fur- 
ther comprising means for controlling the recording 
of data from the medium. 



SigKM-i(Sc, A') 

using Sp, A' and K^. If Sp = S^. , then this step verifies 
-that the copied disk has-not itseH been copiedr so pre- 
venting playback of second generation copies. \f verifi- 
cation succeeds the playt^ack device 17 plays back the 
data (sd4), otherwise play back is prevented (sd5). 
[0067] It be appreciated that the method according 
to the invention can be used in any general digital 
recording system where a unique or nearly unique iden* 
trfier can be associated with a storage medium. This 
includes, for example, smart card RAM memories with 
some ROIV! memory for immutable storage of the identi- 
fier. 

[0068] It will further be appreciated that although a 
scheme based on the public key algorithm has been 
described in detail, other means of implementing a dig- 
ital signature are not excluded. 

Claims 

1 . Apparatus for processing data stored on a storage 
medium which has a medium identifier, the appara- 
tus including means for controlling the processing 
of the stored data in dependence on the relation- 
ship between the medium identifier and verification 
information for the medium identifier stored on the 
medium. 

2. Apparatus according to claim 1, wherein the 
medium identifier is stored on a read-only part of 
the medium. 

3. Apparatus according to claim 1 or 2, wherein the 
medium identifier comprises a first medium idertti- 
fier and the verification information includes a sec- 
ond medium identifier. 

4. Apparatus according to daim 3. wherein the con- 
trolling means is responsive to a connparison 
between the first medium identifier and the second 
medium identifier. 

5. Apparatus according to daim 4, wherein the con- 
trolling means prevents playback of the data if the 
first and second medium identifiers are different. 

6. Apparatus according to claim 4 or 5, wherein the 
controlling means prevents recording of the data if 
the first and second medium identifiers are differ- 
ent. 

7. Apparatus according to any preceding daim. fur- 
ther comprising means for authenticating the verifi- 
cation information. 



10 10. Apparatus according to daim 9. wherein the record- 
ing control means is responsive to copy control data 
stored on the medium. 

11. Apparatus according to claim 10, wherein the copy 
15 control data specifies that the medium can be cop- 
ied freely, copied once or cannot be copied. 

12. Apparatus according to claim 10 or 11 , wherein the 
copy control data is digitally signed. 

20 

13. Apparatus according to any preceding claim com- 
prising a DVD player. 

14. Apparatus according to daim 13. wherein the 
25 medium copiprtses a DVD disk. 

15. A method of processing data stored on a storage 
medium which has a medium identifier and verifica- 
tion information for the identifier stored on the 

30 medium, comprising controlling the processing of 
the stored data in dependence on the relationship 
between the medium identifier and the verification 
information. 

35 1 6. Recording apparatus for recording data onto a data 
storage medium having a medium identifier, com- 
prising means for producing verification information 
for the medium identifier, said verification informa- 
tion to be stored on the medium. 

40 

17. Apparatus according to claim 16, includir»g means 
for digitally signing the verification information. 

18. Apparatus according to claim 16 or 17, wherein the 
45 verification information comprises the medium 

identifier. 

19. Apparatus according to any one of claims 16 to 18 
including means for controlling recording onto the 

50 medium in response to copy control data stored on 
a medium from which the data is being recorded. 

20. A method of recording data onto a data storage 
medium having a medium identifier, comprising 

55 producing verification information for the medium 
identifier to be stored on the medium. 

21. A method according to claim 20. comprising read- 
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ing the medium identifier from a read only part of 
the medium. 

22. A method according to claim 20 or 21, comprising 
protecting the verification information using a digital s 
signature. 

23. A data storage medium comprising a medium iden- 
tifier and verification information for the identifier 
stored on the medium. io 
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